U.S. Indictment of Sandworm Highlights the Importance of Protecting Active Directory

By Sean Deuby October 29, 2020 | Active Directory

The latest development in the 2017 NotPetya Attack saga should be a reminder for organizations that it only takes a handful of cybercriminals to take down all of your operations.  

Last week, the US Department of Justice announced charges including computer fraud and conspiracy against six hackers of the cybercriminal group known as Sandworm who are confirmed members of Russia’s GRU military intelligence agency.  

Sandworm is believed to be behind the attacks that disabled part of Ukraine’s power grid in 2016, meddled in the 2017 French elections, destroyed computers used at the 2018 Winter Olympics, and, most notably, is held responsible for the notorious NotPetya attack. 

The NotPetya attack impacted organizations in 65 countries worldwide, causing an estimated $10 billion in damage. One of those organizations that made headlines was the world’s largest shipping company, Maersk. According to reports, Maersk’s network was crippled within a matter of minutes, with the malware’s damage complete within an hour. Maersk lost all of its online Active Directory (AD) domain controllers, along with their backups. Its saving grace was one powered-down domain controller in its Accra, Ghana office. 

It took Maersk nine days to recover AD. Maersk’s CISO, Andy Powell, was quoted as saying “Nine days for an Active Directory recovery isn’t good enough, you should aspire to 24 hours; if you can’t, then you can’t repair anything else.”

The story was covered over at wired.com by noted cybersecurity journalist and author of Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers, Andy Greenberg. We recently had the opportunity to sit down with Andy at the 2020 Hybrid Identity Protection conference and discuss what organizations can learn from destructive cyberattacks like NotPetya, and how to think about a fallback strategy. Andy stressed that “even more than defense, focus on resilience. You may not be able to prevent an attack, but you can be ready to respond to one and bounce back.” 

Lessons Learned: Are You Ready for the Next “NotPetya”?  

NotPetya occurred not too long ago, and most CISOs today were working in the IT industry in some capacity when it hit. Maersk was rather transparent about how badly it was hurt by NotPetya, enough that the details about the company completely losing its Active Directory were included in just about every tech article covering the attack. One would think CISOs would have taken note and that AD recovery strategies would look different today.

And yet, most organizations still don’t have a plan to ensure the recoverability of AD.

Sure, you take backups, and security solutions are in place to support a sound preventive security posture, but organizations today are still unprepared for an attack on AD of NotPetya’s caliber. 

According to our recently released Recovering Active Directory from Cyber Disasters report, 84% of organizations admit a loss of AD domain controllers as part of a cyber attack would have a significant, severe, or catastrophic impact on the organization. 

Backups certainly play a role in a disaster recovery strategy, but with AD representing either the only or primary identity service in 58% of organizations, it’s imperative that you be ready for that “catastrophic” loss of AD. NotPetya proved it can happen. And yet, just over two-thirds (68%) of organizations either have no AD recovery plan, have a plan but haven’t tested it, or have not tested it within a year. 

Based on both the NotPetya attack and more recent cyberattacks involving AD, there are a few types of AD-targeted attack tactics you should expect and your response plan should address: 

  • AD Manipulation – AD’s ability to grant access to resources and control over users and endpoints puts it in the cybercriminal’s sights. You need to be able to return your AD to a known-good and known-secure state.  
  • AD Availability – In the Maersk attack, the master boot record of each domain controller was encrypted, rendering them unbootable. You must be able to recover everything from a single domain controller to the entire forest (with all its complexities) without risking malware reintroduction. 
  • No AD Backups – Many ransomware strains target Microsoft’s Volume Shadow Copy service, target backup files by file type, and even attempt to access backup solutions via API. At a minimum, the 3-2-1 backup rule applies here, with one copy kept off-site. And for those organizations that recognize AD for the critical workload it is, a solution that focuses on AD forest recovery creates a layered response strategy, so you can count on the ability to remediate even if there are no viable backups. 
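One concrete readiness check that follows from the backup and recovery points above: confirm that every domain controller actually has a recent successful backup, using the 24-hour recovery target quoted earlier as the yardstick. This is an added example, not code from the original post or from Semperis; it assumes the RSAT ActiveDirectory module on the admin host, the WindowsServerBackup feature on each DC, and PowerShell Remoting to the DCs.

```powershell
# Added example (not from the original post): report domain controllers whose
# last successful Windows Server Backup is older than a chosen threshold.
# Assumptions: RSAT ActiveDirectory module here, WindowsServerBackup feature
# installed on every DC, and PowerShell Remoting enabled to the DCs.
param(
    [int]$MaxAgeHours = 24   # 24 hours is the recovery target quoted in the post
)

Import-Module ActiveDirectory

# Enumerate every DC in the current domain rather than relying on a static list
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = foreach ($dc in $dcs) {
    try {
        # Get-WBSummary runs locally on the DC, so invoke it remotely
        $summary = Invoke-Command -ComputerName $dc -ScriptBlock {
            Import-Module WindowsServerBackup -ErrorAction Stop
            Get-WBSummary
        } -ErrorAction Stop
        $last = $summary.LastSuccessfulBackupTime
        $age  = if ($last) { (Get-Date) - $last } else { $null }
        [pscustomobject]@{
            DC       = $dc
            LastGood = $last
            AgeHours = if ($age) { [math]::Round($age.TotalHours, 1) } else { 'never' }
            # No backup at all counts as stale, as does one older than the threshold
            Stale    = (-not $last) -or ($age.TotalHours -gt $MaxAgeHours)
        }
    } catch {
        # Unreachable DC or missing backup feature: treat as stale, do not hide it
        [pscustomobject]@{ DC = $dc; LastGood = $null; AgeHours = 'unknown'; Stale = $true }
    }
}

$report | Format-Table -AutoSize
# Non-zero exit lets a scheduled task or monitoring job alert on stale DCs
if ($report.Where({ $_.Stale }).Count -gt 0) { exit 1 }
```

The script only verifies that backups exist and are fresh; it says nothing about whether a restore from them has been tested, which the report figures above show is the more common gap.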

The old adapted adage “those who fail to remember the past are doomed to repeat it” still rings true. And, if you’re one of the organizations that did not learn from Maersk’s experience recovering from NotPetya, the Sandworm indictment should serve as a reminder that the time is now to begin planning for when the next major cyberattack hits. 

About the author
Sean Deuby, Director of Services
Sean brings 30 years’ experience in enterprise IT and hybrid identity to his role as Director of Services at Semperis. An original architect and technical leader of Intel’s Active Directory and Texas Instruments’ NT network, and a 15-time MVP alumnus, Sean has been involved with Microsoft identity since its inception. Since then, his experience as an identity strategy consultant for many Fortune 500 companies has given him a broad perspective on the challenges of today’s identity-centered security. Sean is an industry journalism veteran; as former technical director for Windows IT Pro, he has over 400 published articles on AD, hybrid identity, and Windows Server.